IDA Pro Malware Analysis Tips
113,697
Published 2017-11-04
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
www.patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Automated Malware Unpacking
www.unpac.me/
PE Mapped Virtual Address vs. Offset In Binary File: 02:55
IDA Pro Layout Tips: 05:10
Dynamically Resolving APIs: 08:10
IDA Pro Remote Debugger Setup and Use: 09:06
Walking Call Chain From Hooked API Back To Malware: 22:59
Using Memory Snapshots To Unpack Malware (Quick Unpacking): 40:07
Win32 API Calls and The Stack (How To Change Arguments On The Fly): 46:28
IDA Pro Remote Debugger (Debugging a DLL): 01:16:32
PE basics including how a PE is mapped in memory:
www.delphibasics.info/home/delphibasicsarticles/an…
www.delphibasics.info/home/delphibasicsarticles/an…
Link to the most excellent IDA Pro book:
www.nostarch.com/idapro2.htm
Microsoft calling conventions:
msdn.microsoft.com/en-us/library/k2b2ssfy.aspx
RegTestUPX1.exe (benign demo application, safe to run):
www.virustotal.com/en/file/31e8a11960d0492b6424135…
final_unmapped.dll (DLL demo **WARNING REAL MALWARE ONLY RUN IN A VM)
www.virustotal.com/en/file/275f927f5cc809ebba57c6e…
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials, and more content over at www.openanalysis.net/
#IDAPro #ReverseEngineering #MalwareAnalysis
All Comments (21)
-
just wanna say thanks alot for this vid. i really learnt alot from your practical tips. the ida/debugger dll base address offsetting, explanations on breakpoint at ordinal vs dll entry point, etc. legit droppin gold nugs!
-
Thank you man :-) Really happy that I found your channel :-)
-
I loved the tutorial. thank you very much for your time and effort to bring it to us.
-
Thank you so much for everything, I'm learning a lot from your videos.
-
Your unpacking technique is saving me a lot of time everyday :)
-
Excellent video, thanks for making!
-
Awesome videooo loveeee it can't wait till you get into kernel so detailed I'm going to be watching your videos all day😊😊
-
This is awsome man...keep posting
-
Awsome video. Really enjoyed watching it
-
Truly epic tutorial! Kudo's guys. This is THE best IDA/Malware tutorial I have seen on the net. You guys surpass all! btw, did you know that if you place your cursor somewhere and press F4 it will run until that point. This works in most other debuggers and removes the need to manually set and remove breakpoints :) Also in the last exercise you guys are reversing a DLL. If you simply use View->Open subviews->Functions you should be able to see 'DllEntryPoint' therefore need not calculate DLL rebasing. Good practice though :) Stellar guys....just awesome :) More tutorials! pls I have learnt so much.
-
very useful video, made a lot of bookmarks
-
Excellent. Give us more.
-
I really appreciate this man! <3
-
the best ida tutorial ever seen.Cool
-
What was the plugin you have installed that caused the crash? I have the same problem. Also this is a fantastic tutorial, I really needed something like this to supplement while reading the IDA Pro book, so thanks a bunch.
-
You're awesome! Thank you for your time, efforts and knowledge :) Can you please make a video in which you make something like a long-term roadmap for beginners to learn malware analysis?
-
Amazing! Thanks!
-
Melhor dos treinamento, isso porque faço analise de malwares e apreendi muito com esses vídeos teóricos e práticos. Thanks.
-
Very good tutorial. Interesting observation though. In my setup I run two virtual win10 64bit. then the API call (openKeyexW) goes to kernelbase and not advapi32. IDA says advapi32 but if you follow the execution you will see that it goes to kernelbase.
-
First of all great tutorial. Just getting into Malware analysis (currently reading Practical Malware Analysis) and your tutorials are some of the best I've seen so far. Just a question regarding setting breakpoints after taking memory snapshots (I'm not sure it really makes sense). If ASLR is turned off, shouldn't the base of the exe + stack, heap and libraries be mapped to the same locations in memory, hence allowing you to keep the breakpoints from one run to the other after unpacking?